Cerberus (Banker)
Cerberus is a banking trojan that relies on the accelerometer sensor to delay its running on the system. Cerberus has recently stepped into the malware-as-a-service business, filling the void left by the demise of previous Android bankers. The malware author(s) claim that it was used privately for the past two years and that they created Cerberus from scratch over several years.

Payload Transmission

The operators of the malware advertise their service in the open, without fearing consequences from exposing indicators of compromise and other details. A Twitter account is used to promote the tool to potential buyers and shows screenshots with low or zero detection rates from multiple scanning services. A thread directed at security researchers offers a few details about the malicious APK used with Cerberus and boasts that it is an original creation that spent several years in development.

YouTube is another advertising channel. A video presentation on Google's platform goes through the command-and-control capabilities and demonstrates interaction with an infected system, from initial entry to the remote removal procedure. Bot management is done through a console that makes it easy for the administrator to push various commands to the compromised system.

Infection

Cerberus poses as a Flash Player application. When it executes on a system, the malware hides its icon and demands increased privileges through the Accessibility Service. Then it starts granting itself additional permissions that allow it to send messages and make calls without user interaction. According to the researchers, the malware also disables Google Play Protect to prevent discovery and disinfection. The set of features available in this trojan is standard and shows no sign of innovative or special functions such as a back-connect proxy, remote control, or screen streaming, which are present in more advanced Android bankers.
Using the functions below, Cerberus manages to keep a low profile for its operations:

* Overlaying: Dynamic (local injects obtained from C2)
* Keylogging
* SMS harvesting: SMS listing
* SMS harvesting: SMS forwarding
* Device info collection
* Contact list collection
* Application listing
* Location collection
* Overlaying: Targets list update
* SMS: Sending
* Calls: USSD request making
* Calls: Call forwarding
* Remote actions: App installing
* Remote actions: App starting
* Remote actions: App removal
* Remote actions: Showing arbitrary web pages
* Remote actions: Screen-locking
* Notifications: Push notifications
* C2 Resilience: Auxiliary C2 list
* Self-protection: Hiding the app icon
* Self-protection: Preventing removal
* Self-protection: Emulation-detection
* Architecture: Modular

The payload and string obfuscation are normal techniques for making analysis and detection more difficult, but Cerberus also uses a mechanism that determines whether the infected system is moving or not. The trojan achieves this by reading data from the accelerometer sensor present on Android devices to measure the acceleration force on all three physical axes, X, Y, and Z, also considering the force of gravity. By implementing a simple pedometer, Cerberus can track whether the victim is moving, using the code below. A real person will move around, generating motion data and increasing the step counter, whereas an emulator or an idle analysis device will not.
```java
...
// 3 == SensorManager.SENSOR_DELAY_NORMAL
this.sensorService.registerListener(this, this.accelerometer, 3);
...
Sensor localSensor = sensorEvent.sensor;
this.sensorService.registerListener(this, localSensor, 3);
if(localSensor.getType() == 1) {                        // 1 == Sensor.TYPE_ACCELEROMETER
    float[] values = sensorEvent.values;
    float Gx = values[0];
    float Gy = values[1];
    float Gz = values[2];
    long timestamp = System.currentTimeMillis();
    if(timestamp - this.previousTimestamp > 100L) {     // ignore events less than 100 ms apart
        long interval = timestamp - this.previousTimestamp;
        this.previousTimestamp = timestamp;
        // scaled change in the summed axis readings per unit time; above 600 counts as a step
        if(Math.abs(Gx + Gy + Gz - this.curGx - this.curGy - this.curGz) / ((float)interval) * 10000f > 600f) {
            this.increaseStepCount();
        }
        this.curGx = Gx;
        this.curGy = Gy;
        this.curGz = Gz;
    }
}
...
// step count compared against a value read from the configuration (snippet cut off on the page)
if(Integer.parseInt(this.utils.readConfigString(arg7, this.constants.step))
```

Category:Android
Category:Android trojan
Category:Mobile Malware
Category:Banking malware
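The step-detection logic from the decompiled snippet above, re-implemented as an added Python example (this is not code from the page or from the malware itself) and run over constructed accelerometer streams. The constants (100 ms minimum interval between processed events, scale factor 10000, threshold 600, sensor type 1 for the accelerometer) are taken from the snippet; the assumption that the configuration key `step` holds the number of steps the counter must reach before the payload proceeds is mine and is marked in the code. The point for analysts is that an idle emulator reporting only gravity never moves the counter, while an analysis environment that replays a realistic motion trace satisfies the gate, which is how a sandbox can surface the delayed behaviour.

```python
"""Simulation of the Cerberus accelerometer 'pedometer' gate over constructed data.

Constants mirror the decompiled logic on the page; the sample streams and the
meaning of the 'step' configuration value are constructed/assumed for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

MIN_INTERVAL_MS = 100      # events closer than this to the last processed one are ignored
STEP_THRESHOLD = 600.0     # scaled delta above this counts as a step
SCALE = 10000.0            # multiplier applied to (delta / interval)
TYPE_ACCELEROMETER = 1     # Android Sensor.TYPE_ACCELEROMETER

# (timestamp_ms, sensor_type, gx, gy, gz)
Event = Tuple[int, int, float, float, float]


@dataclass
class StepCounter:
    """State kept by the trojan: last processed timestamp, last readings, step total."""
    previous_timestamp: int = 0
    cur_g: Tuple[float, float, float] = (0.0, 0.0, 0.0)
    steps: int = 0

    def on_sensor_changed(self, timestamp_ms: int, sensor_type: int,
                          gx: float, gy: float, gz: float) -> bool:
        """Process one sensor event exactly as the snippet does; True if a step was counted."""
        if sensor_type != TYPE_ACCELEROMETER:
            return False
        if timestamp_ms - self.previous_timestamp <= MIN_INTERVAL_MS:
            return False                       # too soon: state is left untouched
        interval = timestamp_ms - self.previous_timestamp
        self.previous_timestamp = timestamp_ms
        cx, cy, cz = self.cur_g
        # |sum of new axes - sum of old axes| / interval * 10000, as in the Java
        scaled_delta = abs(gx + gy + gz - cx - cy - cz) / float(interval) * SCALE
        counted = scaled_delta > STEP_THRESHOLD
        if counted:
            self.steps += 1
        self.cur_g = (gx, gy, gz)
        return counted


def run_stream(counter: StepCounter, events: List[Event]) -> int:
    """Feed a whole stream to the counter and return the resulting step total."""
    for ts, kind, gx, gy, gz in events:
        counter.on_sensor_changed(ts, kind, gx, gy, gz)
    return counter.steps


def passes_gate(counter: StepCounter, required_steps: int) -> bool:
    """ASSUMPTION (not stated on the page): the config value 'step' is the step
    count that must be reached before the payload proceeds."""
    return counter.steps >= required_steps


def emulator_stream(n: int, start_ms: int = 1_000_000) -> List[Event]:
    """Constructed idle-emulator trace: gravity on Z only, identical every 200 ms."""
    return [(start_ms + i * 200, TYPE_ACCELEROMETER, 0.0, 0.0, 9.81) for i in range(n)]


def walking_stream(n: int, start_ms: int = 1_000_000) -> List[Event]:
    """Constructed walking trace: Z swings +/-5 m/s^2 around gravity every 120 ms.
    Consecutive sums differ by 10.0, so 10 / 120 * 10000 = 833 > 600 -> one step per event
    after the first (the first event is measured against a huge interval from t=0)."""
    return [(start_ms + i * 120, TYPE_ACCELEROMETER, 0.0, 0.0,
             9.81 + (5.0 if i % 2 else -5.0)) for i in range(n)]


if __name__ == "__main__":
    idle = run_stream(StepCounter(), emulator_stream(10))
    moving = run_stream(StepCounter(), walking_stream(10))
    print(f"idle emulator steps: {idle}, walking trace steps: {moving}")
```

Because the trojan compares the counter against a configured value rather than the raw sensor data, an analysis device that is left on a desk looks exactly like an emulator to it; replaying recorded walking data into the sensor framework (or driving the counter directly when instrumenting the sample) is what makes the gated code run.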